Massimo Marino, Advanced Accelerator Applications, a Novartis company
We live in the age of cyberattacks, with consequent data security breaches and loss incidents which now, under the EU’s General Data Protection Regulation (GDPR), put an additional burden on companies: the GDPR requires them to notify data breaches directly to the Data Protection Authorities and, depending on the extent of the damage to individuals, to the affected data subjects.
GDPR asks for increased data governance and security measures to be in place. Data may contain personal, financial, health information and more, and proper data classification and controls across the data life cycle within the organization have to be applied according to the risk and damage that any unlawful or negligent data processing might cause.
In general, risk and data management is easier with structured data, whose access rights can be strictly monitored and enforced, but organizations soon find that unstructured data present a much bigger challenge. This data often constitutes the majority of identifiable information on individuals and a blind spot that is critical under the GDPR.
As a first rule of thumb, also enforced by the GDPR principle of data minimization (not holding information beyond what is needed), organizations could well start by avoiding the risk altogether and getting rid of sensitive data that are redundant or no longer needed, thus minimizing the risk associated with identified threats.
Crucial data governance starts with data discovery: at any point in the data life cycle, the priority is to find, tag, and control access to the data and what can be done with it. In addition, proper handling would entail data cleanup, enforcing data visibility and existing data policies, and automating life cycle management with rules for retention and erasure. At a minimum, the organization must demonstrate to the authorities that unstructured data is also under control and ensure that data subject rights (GDPR art. 12-23) can be honoured for this data as well.
The above rests on the capability to detect sensitive data within unstructured data, so as to enforce rules and eliminate classification gaps on personally identifiable information (PII).
An ideal scenario would allow an organization to discover, inspect, and act on unstructured data according to how sensitive it is: removing the related files or documents, moving them to secured storage areas with strictly controlled access, deleting them, or ignoring them. Automated data discovery would make it possible to respond to Subject Access Requests with workflows that identify, validate, and even export files containing PII with reduced effort.
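As an added illustration of the discover-inspect-act loop described above (example code written for this page, not part of the original article or of any Novartis/AAA tooling), the following Python script scans a small constructed corpus of in-memory documents for PII patterns, grades each file's sensitivity, recommends an action against a constructed retention rule, and answers a Subject Access Request by listing the files that mention a given subject. The file names, the detector regexes, the weights, the sensitivity thresholds and the 365-day retention period are all assumptions chosen for the demonstration; a real deployment would walk file shares and use vetted, jurisdiction-specific detectors with checksum validation.

```python
"""Toy PII discovery and classification for unstructured files (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Document:
    path: str       # constructed path on a hypothetical file share
    text: str       # constructed file content
    age_days: int   # constructed: days since last modification


# Simplified detectors (assumption: no checksum validation, EU-style phone format).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{2}[\s-]?\d{2,3}(?:[\s-]?\d{2,3}){2,3}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "health": re.compile(r"\b(?:diagnosis|patient|prescription)\b", re.IGNORECASE),
}
# Assumed weights: financial and health data count more than contact details.
WEIGHTS = {"email": 1, "phone": 1, "iban": 3, "health": 4}
RETENTION_DAYS = 365  # assumed retention rule for non-public files

ACTIONS = {
    "public": "ignore",
    "internal": "tag",
    "confidential": "move_to_secure_storage",
    "restricted": "quarantine",
}


def detect_pii(text):
    """Return {detector_name: [matches]} for every detector that fires."""
    return {name: rx.findall(text) for name, rx in DETECTORS.items() if rx.search(text)}


def sensitivity(found):
    """Map the set of PII kinds found to a sensitivity level (assumed thresholds)."""
    score = sum(WEIGHTS[kind] for kind in found)
    if score == 0:
        return "public"
    if score < 3:
        return "internal"
    if score < 6:
        return "confidential"
    return "restricted"


def recommend_action(doc, level):
    """Retention erasure overrides every other action for non-public data."""
    if level != "public" and doc.age_days > RETENTION_DAYS:
        return "delete"
    return ACTIONS[level]


def classify_corpus(docs):
    """Build an inventory record per document: what was found and what to do."""
    inventory = []
    for doc in docs:
        found = detect_pii(doc.text)
        level = sensitivity(found)
        inventory.append({
            "path": doc.path,
            "pii": sorted(found),
            "level": level,
            "action": recommend_action(doc, level),
        })
    return inventory


def subject_access_export(docs, subject_email):
    """Subject Access Request: which files mention this data subject?"""
    needle = subject_email.lower()
    return sorted(d.path for d in docs if needle in d.text.lower())


# Constructed corpus standing in for files on an unstructured share.
CORPUS = [
    Document("share/minutes.txt", "Q3 meeting minutes: roadmap and budget discussion.", 30),
    Document("share/contacts.csv", "Alice Example, alice@example.com, +41 22 123 45 67", 120),
    Document("share/payroll.txt",
             "Salary transfer for alice@example.com to IBAN CH93 0076 2011 6238 5295 7", 200),
    Document("share/clinic.txt",
             "Patient bob@example.com, diagnosis recorded, refund to CH93 0076 2011 6238 5295 7", 10),
    Document("share/old_export.txt", "Legacy export: bob@example.com +41 22 123 45 67", 800),
]

if __name__ == "__main__":
    for record in classify_corpus(CORPUS):
        print(f"{record['path']:<22} {record['level']:<13} {record['action']:<24} {record['pii']}")
    print("SAR for bob@example.com:", subject_access_export(CORPUS, "bob@example.com"))
```

The inventory is the artefact a DPO can show an authority: each file carries a tag, a level and a decided action, and the retention check turns the data-minimization principle into an automatic "delete" for stale records rather than a manual review. The SAR helper works on the same corpus, so the discovery pass serves both breach-risk reduction and data subject rights.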
It is not surprising that organizations are not confident in their current data security posture and are on the lookout for affordable and efficient solutions to minimize security breaches and maximize confidence during data processing. With unstructured data, the threats range from phishing, insider attacks or negligence, and unauthorized access to simply not knowing what the organization holds, so that data security breaches may go undetected. PII, intellectual property, and sensitive data (health data included) are considered most at risk, with subsequent data loss, disrupted business activities, and negative publicity.
Surprisingly, automated data discovery is still in its infancy and, at times, requires considerable effort to integrate new systems and infrastructure into an existing information security management system.
It is not enough to adopt encryption at large scale and have monitoring controls in place if you don’t know where your sensitive unstructured data are and who can access them.
As DPO for my organization, my team and I have explored a possible solution for automated discovery and classification of sensitive data, which will help toward achieving compliance with GDPR and more serene nights in the future. Automated discovery and classification will ease the negative impact of common pushback from users, lack of management support, and lack of effective security solutions in the market, which are not GDPR-ready yet.